Elastic Security Labs has identified TCLBANKER, a previously undocumented Brazilian banking trojan that targets 59 financial, fintech, and cryptocurrency platforms, spreading via hijacked WhatsApp and Microsoft Outlook accounts to evade traditional spam and reputation-based defenses.
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

Elastic Security Labs has uncovered a previously undocumented banking trojan dubbed TCLBANKER, tracked under the moniker REF3076, that targets 59 banking, fintech, and cryptocurrency platforms primarily in Brazil. The malware represents a major update to the older Maverick banking trojan family, which was known to use the SORVEPOTEL worm to spread via WhatsApp Web. Attribution for the Maverick campaign, and by extension TCLBANKER, goes to a threat cluster that Trend Micro tracks as Water Saci.
The attack chain starts with a ZIP file containing a malicious MSI installer that abuses a signed, legitimate Logitech program called Logi AI Prompt Builder via DLL side-loading. When the MSI is executed, it loads a malicious DLL named "screen_retriever_plugin.dll" that acts as a loader with a comprehensive watchdog subsystem. This subsystem continuously monitors for analysis tools, sandboxes, debuggers, disassemblers, instrumentation tools, and antivirus software to avoid detection.
Researchers Jia Yu Chan, Daniel Stepanic, Seth Goodwin, and Terrance DeJesus of Elastic note that the malicious DLL only executes if it is loaded by either "logiaipromptbuilder.exe" (the legitimate Logitech program) or "tclloader.exe", a likely testing executable used by the threat actors. The loader also removes usermode hooks placed by endpoint security software within "ntdll.dll" by replacing the library entirely, and disables Event Tracing for Windows (ETW) telemetry to avoid logging of malicious activity.
To further evade analysis, TCLBANKER generates three unique fingerprints based on anti-debugging and anti-virtualization checks, system disk information, and language settings. These fingerprints are combined into an environment hash that is used to decrypt the embedded payload. A critical check here is that the system's default language is Brazilian Portuguese. If a debugger or virtualization environment is detected, the fingerprint changes, the resulting environment hash no longer matches the one the payload was encrypted for, the decryption keys derived from it are wrong, and TCLBANKER stops executing entirely.
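The environment-gated decryption described above, as an added Python illustration that is not code from the Elastic report or from the malware: three fingerprint fields are combined into one hash (SHA-256 here, an assumption; the page does not give the real construction), the hash keys a stand-in cipher with an integrity tag, and the same sealed blob only decrypts when every field matches. It shows why a sandbox with an en-US locale or a debugger attached never sees the decrypted payload, and why an analyst who supplies the expected values can reproduce the key offline. The `EnvFingerprint` field shapes, `detonation_gaps`, and the sample values are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class EnvFingerprint:
    """The three checks the article lists, reduced to three fields.
    Hypothetical shapes: the loader's real fingerprint format is not on the page."""
    analysis_detected: bool   # any anti-debug / anti-VM check fired
    disk_info: str            # whatever disk property is hashed (page does not say)
    ui_language: str          # Windows UI language tag


EXPECTED_LANGUAGE = "pt-BR"   # the article: Brazilian Portuguese is required


def environment_hash(fp: EnvFingerprint) -> bytes:
    """Combine the fingerprints into one 32-byte value (SHA-256 is an assumption)."""
    material = f"{int(fp.analysis_detected)}|{fp.disk_info}|{fp.ui_language}"
    return hashlib.sha256(material.encode()).digest()


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for whatever cipher the loader uses."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(payload: bytes, fp: EnvFingerprint) -> bytes:
    """Encrypt under the key of the *intended* environment and prepend a MAC tag."""
    key = environment_hash(fp)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return tag + ct


def unseal(blob: bytes, fp: EnvFingerprint) -> Optional[bytes]:
    """Recompute the key from the *observed* environment. None means the loader
    would stop here, which is exactly what a mismatched sandbox observes."""
    key = environment_hash(fp)
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


def detonation_gaps(fp: EnvFingerprint) -> List[str]:
    """For sandbox operators: which of the gating conditions this environment fails."""
    gaps: List[str] = []
    if fp.analysis_detected:
        gaps.append("debugger/VM artifacts visible")
    if fp.ui_language != EXPECTED_LANGUAGE:
        gaps.append(f"UI language {fp.ui_language!r}, loader expects {EXPECTED_LANGUAGE!r}")
    return gaps


if __name__ == "__main__":
    victim = EnvFingerprint(False, "VOL-1A2B3C4D", "pt-BR")   # constructed values
    sandbox = EnvFingerprint(True, "VOL-1A2B3C4D", "en-US")   # constructed values
    blob = seal(b"<payload bytes>", victim)
    print(unseal(blob, victim))        # b'<payload bytes>'
    print(unseal(blob, sandbox))       # None
    print(detonation_gaps(sandbox))
```

The practical consequence for detonation is in `detonation_gaps`: a sandbox that reports the wrong UI language or exposes debugger or hypervisor artifacts changes a hashed input, so the derived key is wrong and the integrity check fails before any payload code is reached. Because the derivation is deterministic, an analyst who has recovered the expected field values from the loader can recompute the same key outside the sandbox.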
Once the loader successfully decrypts the payload, it launches the main banking trojan component, which again verifies the system is set to Brazilian Portuguese. It establishes persistence via a scheduled task, then beacons to an external command and control (C2) server with an HTTP POST request containing basic system information. The trojan includes a self-update mechanism and a URL monitor that extracts the current URL from the foreground browser's address bar using Windows UI Automation. This monitor supports all major browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, and Vivaldi.
The extracted URL is matched against a hard-coded list of 59 targeted financial institutions. If a match is found, TCLBANKER establishes a WebSocket connection to a remote server and enters a command dispatch loop, giving operators extensive control over the infected device. Available commands include running shell commands, capturing screenshots, starting or stopping screen streaming, manipulating the clipboard, launching a keylogger, remotely controlling the mouse and keyboard, managing files and processes, enumerating running processes, listing visible windows, and serving fake credential-stealing overlays.
To steal data, TCLBANKER uses a Windows Presentation Foundation (WPF)-based full-screen overlay framework for social engineering. These overlays include credential harvesting prompts, vishing wait screens, bogus progress bars, and fake Windows Update notifications, all designed to trick users into handing over login details or two-factor authentication codes. The overlays are hidden from screen capture tools to avoid detection by users trying to record suspicious activity.
Alongside the banking trojan, the loader invokes a worm module to propagate the malware at scale via two trusted communication channels: WhatsApp Web and Microsoft Outlook. This dual approach allows TCLBANKER to bypass traditional email gateways and reputation-based defenses, since messages are sent from already-authenticated, trusted accounts of infected victims.
The WhatsApp Web worm hijacks authenticated browser sessions for WhatsApp, retrieves messaging templates from the C2 server, and uses the open-source WPPConnect project to automate sending phishing messages to the victim's contacts. It filters out group chats, broadcast lists, and non-Brazilian phone numbers to focus on high-value targets. The Outlook component is an email spambot that abuses the victim's installed Microsoft Outlook application to send phishing emails from their legitimate email address. This makes the messages far more likely to bypass spam filters, as they appear to come from a trusted contact.
Elastic Security Labs researchers note that TCLBANKER reflects a broader maturation of the Brazilian banking trojan ecosystem. Techniques once reserved for sophisticated state-sponsored actors, such as environment-gated payload decryption, direct syscall generation, and real-time social engineering orchestration over WebSocket, are now common in commodity crimeware. The use of hijacked WhatsApp and Outlook accounts for distribution creates a trust-based delivery model that most traditional defenses are not equipped to handle.
"The campaign inherits the trust and deliverability of legitimate communications by hijacking victims' WhatsApp sessions and Outlook accounts," the Elastic team wrote in their analysis. "This is a distribution model that traditional email gateways and reputation-based defenses are ill-equipped to catch."
Practical Advice for Users and Organizations
For individual users, especially those in Brazil or with accounts at targeted financial institutions, several steps can reduce risk:
- Never open unsolicited ZIP or MSI files, even if they appear to come from a known contact. TCLBANKER spreads via hijacked WhatsApp and Outlook accounts, so trusted contacts may unknowingly send malicious files.
- Verify any requests for credentials, two-factor codes, or financial information via a separate communication channel. Do not click links in messages or emails without confirming the sender intended to send them.
- Monitor for unexpected scheduled tasks on your device, especially those referencing "tclloader.exe" or Logitech AI Prompt Builder.
- Use endpoint security tools that detect DLL side-loading, usermode hook removal, and ETW tampering, all common techniques used by TCLBANKER.
- Enable strong two-factor authentication on all financial accounts, preferably using hardware keys or app-based codes rather than SMS, which can be intercepted.
For organizations, especially financial institutions and companies with Brazilian user bases:
- Monitor network traffic for connections to known TCLBANKER C2 domains, and block traffic to untrusted WebSocket endpoints.
- Detect and alert on DLL side-loading attempts involving Logitech AI Prompt Builder or "screen_retriever_plugin.dll".
- Restrict the use of WPPConnect and similar WhatsApp automation tools on corporate devices unless explicitly approved for business use.
- Educate users on the risks of phishing messages sent via trusted communication channels, including WhatsApp and internal Outlook accounts.
- Use EDR solutions that can detect anti-analysis techniques like environment fingerprinting, debugger detection, and virtualization checks.
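The host-side indicators named in both lists (a scheduled task referencing "tclloader.exe" or the Logitech program, "screen_retriever_plugin.dll" being loaded by "logiaipromptbuilder.exe" or "tclloader.exe", and the Logitech binary being started by the MSI installer) as a small rule set run over constructed log lines. This is an added Python example, not detection content from Elastic; the only values taken from the article are the three file names. The events follow Sysmon (EventID 1 process create, EventID 7 image load) and Windows Security (4698 scheduled task created) field names, and every path, user name and task name in `SAMPLE_EVENTS` is invented.

```python
import json
from typing import Dict, List, Tuple

# File names the article gives; everything else in this block is constructed.
LOADER_DLL = "screen_retriever_plugin.dll"
HOST_PROCESSES = {"logiaipromptbuilder.exe", "tclloader.exe"}
TEST_LOADER = "tclloader.exe"
TASK_MARKERS = ("tclloader.exe", "logiaipromptbuilder.exe", "logi ai prompt builder")

# Constructed Sysmon-style and Security-log events as JSON lines (not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\ana\\AppData\\Local\\Temp\\logiaipromptbuilder.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
{"EventID": 7, "Image": "C:\\Users\\ana\\AppData\\Local\\Temp\\logiaipromptbuilder.exe", "ImageLoaded": "C:\\Users\\ana\\AppData\\Local\\Temp\\screen_retriever_plugin.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"}
{"EventID": 4698, "TaskName": "LogiUpdate", "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\ana\\AppData\\Roaming\\tclloader.exe</Command></Exec></Actions></Task>"}
{"EventID": 1, "Image": "C:\\Users\\ana\\AppData\\Roaming\\tclloader.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
"""


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict) -> List[str]:
    """Return the names of the rules an event trips (empty list = nothing to see)."""
    hits: List[str] = []
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    if eid == 1:  # Sysmon: process creation
        if image == TEST_LOADER:
            hits.append("tclloader_exec")
        if image == "logiaipromptbuilder.exe" and basename(event.get("ParentImage", "")) == "msiexec.exe":
            hits.append("logi_launched_by_msi")
    elif eid == 7:  # Sysmon: image (DLL) load
        if basename(event.get("ImageLoaded", "")) == LOADER_DLL:
            # Side-loading into one of the two hosts the article names; any other
            # host process loading a DLL of this name is still worth a look.
            hits.append(f"dll_sideload:{image}" if image in HOST_PROCESSES
                        else f"loader_dll_name:{image}")
    elif eid == 4698:  # Security log: scheduled task created
        content = event.get("TaskContent", "").lower()
        if any(marker in content for marker in TASK_MARKERS):
            hits.append(f"sched_task:{event.get('TaskName', '?')}")
    return hits


def scan(jsonl: str) -> List[Tuple[int, List[str]]]:
    """Run evaluate() over JSON lines; return (line number, hits) for alerting lines only."""
    alerts: List[Tuple[int, List[str]]] = []
    for lineno, raw in enumerate(jsonl.strip().splitlines(), start=1):
        raw = raw.strip()
        if raw:
            hits = evaluate(json.loads(raw))
            if hits:
                alerts.append((lineno, hits))
    return alerts


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_EVENTS):
        print(f"line {lineno}: {', '.join(hits)}")
```

Treat a name match as a triage lead rather than a verdict: the Logitech executable is a legitimate signed program, so the load path and the DLL's signature status (the `Signed` field in the image-load event) are what separate a side-loaded copy from a normal install, and the scheduled-task rule should be tuned against whatever Logitech's own updater registers in your environment. Enabling Sysmon image-load logging for the two host process names, and auditing 4698 in the Security log, is the prerequisite for the second and third rules to fire at all.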
